Limitations of sandboxes
Only the behaviors associated with the taken paths can be monitored.
Forced multi-path exploration:
  Assumption: the behavior of the program depends on the output of the syscalls it executes.
  Track dependencies between syscall outputs and program variables.
  Detect untaken paths and force their execution by computing new program states that satisfy the path conditions.
http://www.ecsl.cs.sunysb.edu/tr/TR238.pdf http://www.iseclab.org/papers/explore.pdf
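Added example (not from the slides or the cited papers): a toy of the forced multi-path exploration described above. It assumes a tiny instruction format, a program that reads external input only through one "syscall", and exhaustive search over an assumed result domain in place of the constraint solver a real tool would use.

```python
SYSCALL_DOMAIN = range(10_000)  # assumed range of values a syscall can return

def run(program, results):
    """One execution with the given syscall results. Each variable carries
    (value, symbolic function of syscall results) so branch conditions can be
    tied back to the syscall they depend on. Returns (actions, untaken paths)."""
    labels = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "label"}
    env, actions, path, untaken, pc = {}, [], [], [], 0
    while program[pc][0] != "exit":
        ins = program[pc]
        if ins[0] == "syscall":                # var <- syscall(name)
            env[ins[1]] = (results[ins[2]], lambda r, n=ins[2]: r[n])
        elif ins[0] == "mod":                  # dst <- src % n
            val, sym = env[ins[2]]
            env[ins[1]] = (val % ins[3], lambda r, s=sym, n=ins[3]: s(r) % n)
        elif ins[0] == "je":                   # if var == const: goto label
            val, sym = env[ins[1]]
            cond = lambda r, s=sym, c=ins[2]: s(r) == c
            taken = val == ins[2]
            untaken.append(path + [(cond, not taken)])  # same prefix, flipped branch
            path.append((cond, taken))
            if taken:
                pc = labels[ins[3]]; continue
        elif ins[0] == "action":               # observable behaviour
            actions.append(ins[1])
        pc += 1
    return actions, untaken

def solve(conditions, name):
    """Syscall results satisfying every (condition, wanted outcome) on the path
    (a real tool uses a constraint solver; this toy searches the domain)."""
    for v in SYSCALL_DOMAIN:
        if all(cond({name: v}) == want for cond, want in conditions):
            return {name: v}
    return None

def explore(program, initial):
    """Run, then force each untaken branch until no new path appears."""
    seen, queue, tried = set(), [initial], [initial]
    while queue:
        results = queue.pop()
        actions, untaken = run(program, results)
        seen.update(actions)
        for conds in untaken:
            new = solve(conds, next(iter(results)))
            if new is not None and new not in tried:
                tried.append(new); queue.append(new)
    return seen

# Constructed sample: a time bomb whose payload only runs when time() % 7 == 3
TIME_BOMB = [("syscall", "t", "time"), ("mod", "d", "t", 7), ("je", "d", 3, "payload"),
             ("action", "sleep"), ("exit",), ("label", "payload"),
             ("action", "hidden_payload"), ("exit",)]
```

A single run with time() = 100 observes only "sleep"; explore() forces the untaken branch and also reaches "hidden_payload".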
Limitations of sandboxes
Conditional Code Obfuscation
Historically, encryption, polymorphism and other obfuscation schemes have been primarily employed to thwart anti-virus tools and static-analysis-based approaches. Dynamic-analysis-based approaches inherently overcome all anti-static-analysis obfuscations, but they only observe a single execution path. Malware can exploit this limitation by employing trigger-based behaviors such as time-bombs, logic-bombs, bot-command inputs, and testing for the presence of analyzers, to hide its intended behavior.
Limitations of sandboxes
Conditional Code Obfuscation
Recent analyzers provide a powerful way to discover trigger-based malicious behavior in arbitrary malicious programs:
exploration of multiple paths during the execution of malware.
Limitations of sandboxes
Conditional Code Obfuscation
Number of triggers found per program, and how many of them could be obfuscated strongly, at medium strength, weakly, or not at all:

Malware                          M. triggers  Strong  Med.  Weak  None
Slapper worm (P2P Engine)                 28       -    28     -     -
Slapper worm (Backdoor)                    1       1     -     -     -
BotNET (An IRC Botnet Server)             52      52     -     -     -
passwd rootkit                             2       2     -     -     -
login rootkit                              3       2     -     -     1
top rootkit                                2       -     -     -     2
chsh rootkit                               4       2     -     2     -
First, analyzers may be equipped with a decryptor to reduce the search space of keys by taking the input domain into account. Another approach is to move further towards input-aware analysis: rather than capturing binaries only, collection mechanisms should, where possible, capture the binary's interaction with its environment (in the case of bots, the related network traces). Existing honeypots already have the capability to capture network activity. Recording system interaction can provide more information about the inputs required by the binary.
Andreas Moser, Christopher Kruegel and Engin Kirda, Exploring Multiple Execution Paths for Malware Analysis, Proceedings of the 2007 IEEE Symposium on Security and Privacy, 2007
Monirul Sharif, Andrea Lanzi, Jonathon Giffin and Wenke Lee, Impeding Malware Analysis Using Conditional Code Obfuscation, Network and Distributed System Security Symposium (NDSS08), 2008
Detecting sandboxes
Red pill: a program that can detect whether it is being executed in an emulator.
```c
enum { EMU = 0, CPU = 1 };

/* Red-pill bytes as given on the slide; the sequence is truncated there and
   "..." stands for the rest. Executed as code, they return non-zero on a
   physical CPU and zero under an emulator. On a real system the buffer must
   live in executable memory for the call below to work. */
static const unsigned char redpill[] = "\x08\x7c\xe3\x04" /* ... */;

int main(void) {
    if (((int (*)(void))redpill)()) {
        /* Executed on physical CPU */
        return CPU;
    }
    /* Executed on emulated CPU */
    return EMU;
}
```

http://www.usenix.org/events/woot09/tech/full_papers/paleari.pdf
(Week 3-4) Lorenzo Cavallaro (ISG@RHUL), Malware and its Underground Economy, Jul 1, 2013
Detecting sandboxes: some numbers
[Chart: state differences found per emulator (BOCHS, Pin, Valgrind, QEMU); y-axis 50 to 550]